Stop Putting Band-Aids on Healthcare Network Security

Healthcare organizations are prime targets for hackers. These institutions are rich troves of data, routinely collecting and storing personal identification details, health records and financial information such as credit card numbers and bank accounts.

According to a 2016 Ponemon study, 90% of healthcare organizations represented in the survey had a data breach within the last two years, and almost half (45%) experienced more than five data breaches over the same time period. Now the estimated annual cost of breaches in the healthcare industry is a towering $6.2 billion.

It’s no surprise, then, that security ranks as the number one issue for healthcare organizations.

Data is important to healthcare. The industry is made up of highly distributed organizations that each possess several pockets of information—you have central hospitals, outlying critical care clinics, and individual doctors’ offices and laboratories. Each of these departments collects, processes, stores and transmits data that is relied upon to make critical health decisions. Securely sharing this information is essential for a healthcare organization to operate efficiently and effectively.

Additionally, according to a 2018 survey by Oxford Economics and the SAP Center for Business Insight, 34% of healthcare institutions have achieved at least some of their digital transformation goals, while 54% are in the piloting stage and 23% are still planning. This includes initiatives for delivering digital services and products through new channels using reengineered processes. In other words, digital technology is no longer limited to making existing work more efficient; it is driving new operational models.

This makes the network, specifically the wide area network (WAN), the center of operations. The WAN must do many things, and do them well. It must be high performing, scale as necessary and, most importantly, meet high security requirements.

Unfortunately, many healthcare organizations have fallen behind when it comes to their networks. Many still have older, inflexible legacy networks installed, and as a result, in 2016 more than a third (36.3%) said they were struggling with critical compliance mandates, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), the latter of which industry experts predict will present a huge obstacle for many healthcare organizations due to their outdated network infrastructures.

Moreover, the addition of HITECH to HIPAA means that healthcare organizations are not only responsible for disclosing their own breaches, but that they must hold their business associates and service providers responsible as well. This expanded culpability is beyond the boundaries of a private point network solution.

Increasingly, healthcare organizations are upgrading their legacy networks to a software-defined wide area network (SD-WAN) as a way to bolster security while also saving money and enjoying higher-performing networks.

How SD-WAN Improves Security: Segmentation

Traditional WAN has always served well to connect enterprise networks over broad distances, which can include remote data centers as well as branch and satellite offices. But an SD-WAN adapts in real time to the needs of the users. For example, it ensures that healthcare organizations’ networks can accommodate important clinical applications that can include transmission of voice, video or large file transfers. A traditional WAN can’t accommodate these kinds of fluctuating demands for bandwidth.

But what does SD-WAN have to do with security? In a word: segmentation.

Suddenly, everyone is talking about network segmentation. Whether referred to as micro-segmentation, hyper-segmentation, or nano-segmentation, the overall objective in each case is similar. Network segmentation is when you create different “zones” in different parts of the network to protect the data that resides in one given zone from other zones. Without authorization, nothing or no one can interact with—or even see—anything else on a segmented network.

Segmentation is not a new concept, but previously, it was very difficult to implement since it had to be manually coded on each device that was connected to the enterprise network. It was virtually impossible to have a segmented network agile enough to stay up-to-date with business requirements.

All of that changes with SD-WAN, which applies a virtual “overlay” network on top of the physical network. With this virtual network, you have the ability to segment outside the data center onto the enterprise WAN in any way you choose. For example, a hospital might want to put all of its intelligent connected devices—x-ray machines and heart monitors—into one segment, while creating a different segment for visitors who sign onto the Wi-Fi network as guests. That way, there’s no concern that a breach on the guest network could affect a sensitive piece of connected digital equipment. As you can imagine, when life-or-death scenarios arise in healthcare institutions, segmentation is very attractive.

SD-WAN has other features that make it perfect for segmentation, including visibility into the entire network, centralized control, and policy-based provisioning and patching. But with the ability to segment networks and isolate traffic, healthcare organizations are able to prevent the kinds of attacks that start out minor but quickly evolve into the mega breaches that end up as financial and public relations nightmares.

  • Creating segmentation-based policies. Having this option allows you to create a policy that would always reserve fast-performing network circuits for critical patient-centered applications while relegating guest Wi-Fi traffic to slower circuits.
  • Enforcing specific network security policies by segment. Security policies allow you to run any unidentified BYOD devices through a special demilitarized zone (DMZ) for special treatment before permitting them network access.
  • Preventing cyberattacks that originate in a small remote office from spreading to the rest of the network by putting up barriers to traffic between the segmented remote office and the enterprise network. Additionally, network function virtualization (NFV) enables SD-WAN to assign virtual firewalls and security appliances to specific application environments and network segments.
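
The segment policies listed above, sketched as a default-deny check over flow records. This is an added illustration, not code from any SD-WAN product; the subnets, segment names, ports and the `decide` and `audit` helpers are all assumptions made for the example.

```python
import ipaddress

# Constructed segment map; the address ranges are illustrative only.
SEGMENTS = {
    "clinical-devices": ipaddress.ip_network("10.10.0.0/16"),  # x-ray machines, heart monitors
    "guest-wifi": ipaddress.ip_network("10.20.0.0/16"),
    "remote-office": ipaddress.ip_network("10.30.0.0/16"),
    "enterprise": ipaddress.ip_network("10.40.0.0/16"),
}
# Explicit allow-list of (source segment, destination segment, port).
# Anything between segments that is not listed here is denied.
ALLOW = {
    ("clinical-devices", "enterprise", 443),
    ("remote-office", "enterprise", 443),
}
# Circuit preference per source segment: fast for patient-centered traffic.
CIRCUIT = {"clinical-devices": "fast", "guest-wifi": "slow"}

def segment_of(ip):
    """Return the name of the segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def decide(src_ip, dst_ip, dst_port, identified=True):
    """Return (action, circuit) for one flow under the policy above."""
    if not identified:                      # unidentified BYOD goes to the DMZ first
        return ("quarantine", "byod-dmz")
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:          # outside every known segment
        return ("deny", None)
    if src == dst or (src, dst, dst_port) in ALLOW:
        return ("allow", CIRCUIT.get(src, "standard"))
    return ("deny", None)                   # default deny between segments

def audit(flows):
    """Return (flow, action) for every flow that is not plainly allowed."""
    results = [(f, decide(*f)[0]) for f in flows]
    return [(f, action) for f, action in results if action != "allow"]

# Constructed flow records: (src_ip, dst_ip, dst_port, identified)
FLOWS = [
    ("10.10.1.4", "10.40.0.9", 443, True),   # heart monitor to enterprise service
    ("10.20.5.7", "10.10.1.4", 104, True),   # guest Wi-Fi reaching a clinical device
    ("10.30.2.2", "10.40.0.9", 443, True),   # remote office to enterprise service
    ("10.30.2.2", "10.10.1.4", 22, True),    # remote office reaching a clinical device
    ("10.20.8.8", "10.40.0.9", 443, False),  # unidentified BYOD device
]
```

Running `audit(FLOWS)` flags the two cross-segment attempts against the clinical segment and the unidentified device, while the allow-listed flows pass on their assigned circuits.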

Healthcare companies require robust network infrastructures that integrate routing, centralized policy and orchestration to provide a secure network with innate capabilities for end-to-end segmentation. Adding software-defined networking capabilities to the WAN to create the SD-WAN is fast becoming the accepted and safest solution.
